Closed Bug 724356 Opened 13 years ago Closed 13 years ago

Crash @ gfxMixedFontFamily::ReplaceFontEntry

Categories

(Core :: Graphics, defect)

Product:
Core
Component:
Graphics
Version:
13 Branch
Platform:
All
Windows 7
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla13

People

(Reporter: scoobidiver, Assigned: jfkthame)

References

Details

(Keywords: crash, regression)

Crash Data

Attachments

(1 file)

patch, check the proxy's family pointer is still valid before using it
1011 bytes, patch
jtd
: review+
Details | Diff | Splinter Review
It's a new crash signature that first appeared in 13.0a1/20120204. The regression range is: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=e777c939a3f9&tochange=766a59650976 It's likely a regression from bug 721315. Signature gfxMixedFontFamily::ReplaceFontEntry(gfxFontEntry*, gfxFontEntry*) More Reports Search UUID 1d72c5fe-d632-4b79-b473-ba8082120205 Date Processed 2012-02-05 01:09:40 Uptime 67 Last Crash 1.1 minutes before submission Install Age 9.7 hours since version was first installed. Install Time 2012-02-04 15:25:00 Product Firefox Version 13.0a1 Build ID 20120204031137 Release Channel nightly OS Windows NT OS Version 6.1.7601 Service Pack 1 Build Architecture x86 Build Architecture Info GenuineIntel family 6 model 23 stepping 10 Crash Reason EXCEPTION_ACCESS_VIOLATION_READ Crash Address 0x14 App Notes AdapterVendorID: 0x8086, AdapterDeviceID: 0x2e32, AdapterSubsysID: 02f51028, AdapterDriverVersion: 8.15.10.2302 D2D? D2D+ DWrite? DWrite+ D3D10 Layers? D3D10 Layers+ EMCheckCompatibility True Frame Module Signature [Expand] Source 0 xul.dll gfxMixedFontFamily::ReplaceFontEntry obj-firefox/dist/include/gfxUserFontSet.h:117 1 xul.dll nsUserFontSet::ReplaceFontEntry layout/style/nsFontFaceLoader.cpp:711 2 xul.dll gfxUserFontSet::OnLoadComplete gfx/thebes/gfxUserFontSet.cpp:563 3 mozglue.dll je_free memory/jemalloc/jemalloc.c:6580 4 mozglue.dll je_free memory/jemalloc/jemalloc.c:6580 5 mozglue.dll je_free memory/jemalloc/jemalloc.c:6580 6 xul.dll nsTArray_base<nsTArrayDefaultAllocator>::ShiftData obj-firefox/dist/include/nsTArray-inl.h:266 7 mozglue.dll je_free memory/jemalloc/jemalloc.c:6580 8 xul.dll nsTArray_base<nsTArrayDefaultAllocator>::ShiftData obj-firefox/dist/include/nsTArray-inl.h:266 9 xul.dll nsHttpChannel::QueryInterface netwerk/protocol/http/nsHttpChannel.cpp:3630 10 xul.dll nsCOMPtr_base::assign_from_qi obj-firefox/xpcom/build/nsCOMPtr.cpp:96 11 xul.dll nsFontFaceLoader::OnStreamComplete layout/style/nsFontFaceLoader.cpp:245 12 xul.dll nsStreamLoader::OnDataAvailable netwerk/base/src/nsStreamLoader.cpp:182 13 xul.dll nsStreamLoader::OnStopRequest netwerk/base/src/nsStreamLoader.cpp:127 14 xul.dll nsCORSListenerProxy::OnStopRequest content/base/src/nsCrossSiteListenerProxy.cpp:646 15 xul.dll nsHttpChannel::OnStopRequest netwerk/protocol/http/nsHttpChannel.cpp:4355 16 xul.dll nsInputStreamPump::OnStateStop netwerk/base/src/nsInputStreamPump.cpp:583 17 xul.dll nsInputStreamPump::OnInputStreamReady netwerk/base/src/nsInputStreamPump.cpp:405 18 xul.dll nsInputStreamReadyEvent::Run xpcom/io/nsStreamUtils.cpp:114 19 xul.dll nsThread::ProcessNextEvent xpcom/threads/nsThread.cpp:657 20 xul.dll nsTArray<nsTimerImpl*,nsTArrayDefaultAllocator>::IndexOf<nsTimerImpl*,nsDefaultComparator<nsTimerImpl*,nsTimerImpl*> > obj-firefox/dist/include/nsTArray.h:652 21 nspr4.dll PR_Unlock nsprpub/pr/src/threads/combined/prulock.c:347 22 xul.dll TimerThread::RemoveTimer xpcom/threads/TimerThread.cpp:435 23 xul.dll mozilla::ipc::MessagePump::Run ipc/glue/MessagePump.cpp:110 24 xul.dll MessageLoop::RunHandler ipc/chromium/src/base/message_loop.cc:201 25 xul.dll MessageLoop::Run ipc/chromium/src/base/message_loop.cc:175 26 xul.dll nsBaseAppShell::Run widget/xpwidgets/nsBaseAppShell.cpp:189 27 xul.dll nsAppShell::Run widget/windows/nsAppShell.cpp:258 28 xul.dll nsAppStartup::Run toolkit/components/startup/nsAppStartup.cpp:220 29 xul.dll XRE_main toolkit/xre/nsAppRunner.cpp:3537 30 firefox.exe wmain toolkit/xre/nsWindowsWMain.cpp:107 More reports at: https://crash-stats.mozilla.com/report/list?signature=gfxMixedFontFamily%3A%3AReplaceFontEntry%28gfxFontEntry*%2C%20gfxFontEntry*%29
This crash signature is triggered by bug 721315, I think, but it's really just highlighting a pre-existing problem that could have led to unpredictable behavior due to using a potentially-invalid family record.
Assignee: nobody → jfkthame
Attachment #594530 - Flags: review?(jdaggett)
Jonathan, how do we hit this codepath with mFamily == nsnull?
I suspect we could hit this if the user font set has been deleted (e.g. due to navigating away from the page) immediately before the font loader completes, so the font set deletes the family (which now, since bug 721315, causes it to invalidate the mFamily pointers in its faces).
Attachment #594530 - Flags: review?(jdaggett) → review+
Pushed to inbound: https://hg.mozilla.org/integration/mozilla-inbound/rev/7c4257358d6a
Target Milestone: --- → mozilla13
https://hg.mozilla.org/mozilla-central/rev/7c4257358d6a
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: